GDPR: What You (And Your Store) Need to Know About This New Data Protection Law

On May 25th, the General Data Protection Regulation (GDPR) will take effect. The GDPR is the European Union’s new data privacy law which impacts how all companies (big and small) collect and handle personal data about their European customers.

We know that every business is different, and some of you might need more preparation than others to comply with the GDPR. We fully believe that we will comply with the GDPR the moment it takes effect, and that you will be able to use our platform in a way that also complies with the GDPR from the outset. Because we think it’s important that you trust in our data protection practices, we wanted to share the specific steps Shopify has taken to support your efforts (and ours) to prepare for the GDPR.

What has Shopify already done to prepare for the GDPR?

We’ve been hard at work preparing for the GDPR for a while. So far, we have:

Updated our Terms of Service to automatically include, for all merchants, a Data Processing Addendum governing how we process your European customers' personal data

Updated our Privacy Policy to make sure we provide information about the rights individuals have under the GDPR, and more details about our processing of personal data

Updated our Cookie Policy to include specific information about the cookies that we place through your storefront

Updated our privacy policy generator to include some of the information that you may be required to provide under the GDPR

Updated our marketing opt-in so that you can set it up as unchecked for your store, and allowed you to tie abandoned cart notifications to whether the customer has opted into marketing

Prepared a whitepaper to explain how we are approaching certain legal requirements under the GDPR

Prepared a document to help you identify next steps as you prepare for the GDPR

What else will Shopify have ready before May 25 for the GDPR?

We are also working on a few important projects that we will be releasing before May 25:

Rolling out a way for you, in your admin, to request that individual customer records be deleted, or to request all of the information we have collected about a customer for an access request. When you request that individual customer records be deleted, we will also propagate these requests to the relevant apps you have installed on your store.

On May 25th, you can find the information and deletion request options on each customer's profile in Shopify.

We will also be updating our app store interface so that you can see exactly what personal data the apps you have installed (or want to install) request access to, as well as a more detailed privacy policy provided by the app developer.

We recognize that you will need to independently prepare for the GDPR on your end, and have put together a document to help you identify your next steps in ensuring that your store complies with the GDPR. That said, the GDPR is an extremely complicated set of requirements that will apply differently from store to store, and we recommend speaking with a lawyer or data protection professional if you have specific questions about how the GDPR applies to your business.